MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad7e91af55a1e48ca702b1d8d4127a830688dd026df1c485a3e6c2bdd72ac336. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 10

SHA256 hash: ad7e91af55a1e48ca702b1d8d4127a830688dd026df1c485a3e6c2bdd72ac336
SHA3-384 hash: bcd29c620997212fbcba93ce4a73069a1863b32fafcd00b466f1d25f9220c20adf96697b086432489554310b61b9caa5
SHA1 hash: c4d20147bc88674ee827d992150be808a37d3294
MD5 hash: dddb306432509cb10e165663f8744585
humanhash: kilo-whiskey-mirror-delta
File name: update_2.exe
Signature: QuasarRAT
File size: 29'184 bytes
First seen: 2022-10-09 06:43:24 UTC
Last seen: 2022-10-09 07:02:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9683ef79de5ce4e729e1231235baa48b (1 x QuasarRAT)
ssdeep: 384:Vkbs/YT5B4DLXnNCkRfQUb9q7ZCVs67Kj5wWyb068sexmYS3R52y:DO2DnpZPb9q7ZC45wWyb068sexmN3rN
Threatray: 5'311 similar samples on MalwareBazaar
TLSH: T145D25B37B666DCC9E7392B74C4521A168C74396387708BCBF38502751DF2291FE26AE8
TrID:
  48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.3% (.EXE) OS/2 Executable (generic) (2029/13)
  9.2% (.EXE) Generic Win/DOS Executable (2002/3)
  9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter: JAMESWT_WT
Tags: afterburner-msi exe QuasarRAT

Intelligence

File Origin
# of uploads: 4
# of downloads: 430
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
CallSleep
EvasionQueryPerformanceCounter
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: obfuscated
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Very long command line found
Yara detected Quasar RAT
Behaviour
Threat name: ByteCode-MSIL.Adware.RedCap
Status: Malicious
First seen: 2022-09-24 22:01:05 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 17 of 26 (65.38%)
Threat level: 1/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Blocklisted process makes network request
Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: a268b39ef100a8271e17f5bd64678c988cb6209d32b76ad7874c504f340c92f4
MD5 hash: 08c41b8ff5dce9624ccf01a854434635
SHA1 hash: 90775af8d275bf9147a7ab234d5ba9f9d39a1621
SHA256 hash: ad7e91af55a1e48ca702b1d8d4127a830688dd026df1c485a3e6c2bdd72ac336
MD5 hash: dddb306432509cb10e165663f8744585
SHA1 hash: c4d20147bc88674ee827d992150be808a37d3294
Malware family: QuasarRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: SUSP_PowerShell_Base64_Decode
Author: SECUINFRA Falcon Team
Description: Detects PowerShell code to decode Base64 data. This can yield many FP

Rule name: SUSP_PS1_FromBase64String_Content_Indicator_RID3714
Author: Florian Roth
Description: Detects suspicious base64 encoded PowerShell expressions
Reference: https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639

File information

The table below shows additional information about this malware sample such as delivery method and external references.
